Method And Apparatus For Measuring Information System Device Integrity And Evaluating Endpoint Posture

ABSTRACT

Methods, devices, and systems disclosed herein measure endpoint user security event susceptibility (e.g., to a malware infection) and provide information for endpoint posture evaluation. A relatively small software application may be installed using, for example, a systems management push system, where the software runs on each endpoint system and reports back to a central repository or base system. The software runs on the machines that it is pushed to and generates a score for each endpoint. That score is a quantification of endpoint user security risk, i.e., the likelihood that a particular endpoint will be the source of a security event at some point in the future. This information may be used to generate a Relative Score for each endpoint, so that the endpoints can be ranked from most secure to least secure, and an Absolute Score, so that a given distributed system can be compared to other distributed systems.

RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 17/000,306, filed on Aug. 22, 2020, which claims the benefit of U.S. Prov. Pat. App. No. 62/890,519, filed on Aug. 22, 2019. Each application referenced in this paragraph is incorporated by reference as if set forth fully herein.

BACKGROUND

Field of the Disclosure

The present disclosure relates generally to methods and devices for detecting the susceptibility of an endpoint and/or its user to causing a security event in information handling systems, and more particularly to methods and devices for scoring and ranking endpoint users based on the behavioral characteristics of the user and the system.

Description of the Related Art

Over the past forty years, since the advent of Windows as the preeminent operating system for personal computers (and, to a lesser extent, UNIX operating systems for end users), billions of dollars have been invested in protecting computer systems from attack. Hundreds of software companies compete in the security space, providing various products designed to protect systems in some specific ways. For example, security companies may provide software packages designed to detect and prevent installation of malware, i.e., to neutralize an external threat before it infects a machine or system. Other companies sell products designed to treat infected machines and prevent the proliferation of malware once it has already infiltrated a system.

In large companies having several hundred to several thousand computing employees, a distributed system having a commensurate number of computers or virtual desktops is often required. In order to centrally manage such a large number of systems, many companies utilize information technology (IT) departments engaged in systems management and security management, which is the enterprise-wide administration of distributed systems and virtual desktops. Systems management and security may involve, for example, software inventory and installation, virus detection and prevention, user activity logging, security management, etc. Centralized management allows IT departments to monitor, analyze, and manipulate systems on the distributed network with the primary goals of improving throughput and preventing attack.

Security assessment is a mature, billion-dollar services industry, traditionally built on consulting engagements designed to assess nearly all aspects of an enterprise distributed system, such as the network perimeter, email and servers, cloud, security posture, incident handling, identity/access management, security operations, and many others. However, there is a need in the industry for a product/service that evaluates the biggest threats to the distributed system: the end user and the system configuration. The present disclosure discusses devices and methods that provide organizations (traditionally corporations and consulting firms) with a snapshot of device integrity across an entire user population by quantifying individual endpoint user security risk (i.e., identifying the systems/users that comprise the “weakest links” in a user population). Additionally, a “sophisticated user” score may also be summated.

DETAILED DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flow chart showing a method of identifying endpoint user susceptibility across a distributed computer system according to an embodiment of the present disclosure.

FIG. 2 is a flow chart showing a set of instructions fixed in a non-transitory computer-readable medium according to an embodiment of the present disclosure.

DETAILED DESCRIPTION OF THE DISCLOSURE

Embodiments of the present disclosure include methods and devices for identifying endpoint user security event susceptibility (e.g., a malware infection) and providing information for endpoint posture evaluation. In one embodiment, a relatively small software application may be installed using, for example, a systems management push system where the software runs on each endpoint system, reports back to a central repository or base system, and then, immediately afterward, is deleted on each system, with the entire process completed in a few seconds or less. In another embodiment, the software remains on the machine after it runs so that it may be easily activated again without having to reload the software on a particular system.

The software application is deliverable in a relatively small package. In one embodiment, the software is less than 5 MB. In another embodiment, the software is less than 3 MB. And in yet another embodiment, the software is less than 2 MB.

The software runs on any number of machines that it is pushed to and generates a score for each such endpoint. That score is the quantification of endpoint user security risk, i.e., the score relates to the likelihood that a particular endpoint will be the source of a security event at some point in the future. Once the software has been run on all or a subset of the machines in a given deployment, each individual machine that has been analyzed is ranked from most secure to most worrisome. The quantification of this information (known as the Relative Score) immediately communicates to an IT department, an outside systems management consultant, or another group, which endpoint users pose the biggest threat to the distributed system, allowing resources to be more efficiently dedicated to those high-risk users/machines.

Device integrity is measured at each machine that runs the software using a plurality of dimensions, each of which focuses on a particular set of characteristics of the machine. Some of the dimensions that are analyzed include: management (user hygiene); forensic readiness; defensibility; insider threat indicia; spear phishing surface; exfiltration potential; performance; dark web footprint; valuable employee indicia; and physical security. Each of these dimensions is discussed in more detail herein. It is understood that the dimensions explicitly disclosed herein are exemplary. A person of skill in the art will appreciate that many different dimensions other than those disclosed herein are possible.

Throughout this disclosure, the embodiments illustrated should be considered as exemplars, rather than as limitations on the present disclosure. As used herein, the term “invention,” “device,” “apparatus,” “method,” “disclosure,” “present invention,” “present device,” “present apparatus,” “present method,” or “present disclosure” refers to any one of the embodiments of the disclosure described herein, and any equivalents. Furthermore, reference to various features of the “invention,” “device,” “apparatus,” “method,” “disclosure,” “present invention,” “present device,” “present apparatus,” “present method,” or “present disclosure” throughout this document does not mean that all claimed embodiments or methods must include the referenced features.

Although the ordinal terms first, second, third, etc., may be used herein to describe various elements, components, and/or steps, these elements, components, and/or steps should not be limited by these terms. These terms are only used to distinguish one element, component, or step from another. Thus, unless expressly stated otherwise, a first element, component, or step discussed below could be termed a second element, component, or step without departing from the teachings of the present disclosure. As used herein, the term “and/or” includes any and all combinations of one or more of the associated list items.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used herein, the singular forms “a,” “an,” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It is further understood that the terms “comprises,” “comprising,” “includes,” and/or “including” when used herein, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.

FIG. 1 is a flow chart showing a method 10 of identifying endpoint user susceptibility across a distributed computer system according to an embodiment of the present disclosure. The method 10 comprises the following steps. In step 12, a software application runs on a plurality of endpoints on a distributed system. As shown in step 14, information is received from at least some of the endpoints. In step 16, a Relative Score is generated for each of the endpoints from which information was received based on an analysis of a plurality of dimensions, each of the dimensions relating to a particular set of characteristics of a given one of the plurality of endpoints. Next, in step 18, each of the endpoints is ranked from most secure to least secure based on the Relative Scores.

FIG. 2 is a flow chart showing a set of instructions 20 fixed in a non-transitory computer-readable medium according to an embodiment of the present disclosure. The term “non-transitory,” as used herein, is intended to describe a computer-readable storage medium (or “memory”) excluding propagating electromagnetic signals, but is not intended to otherwise limit the type of physical computer-readable storage device that is encompassed by the phrase computer-readable medium or memory. For instance, the term “non-transitory computer readable medium” is intended to encompass types of storage devices that do not necessarily store information permanently, including, for example, random access memory (RAM). Program instructions and data stored on a tangible computer-accessible storage medium in non-transitory form may further be transmitted by transmission media or signals such as electrical, electromagnetic, or digital signals, which may be conveyed via a communication medium such as a network and/or a wireless link.

The instructions 20 provide a series of steps for execution on a computer or computer system. In step 21, software is pushed from a base system to a plurality of endpoints on a first distributed system. In step 22, the software application is executed at said endpoints. As shown in step 23, information is received at the base system from at least some of the plurality of endpoints. In step 24, a Relative Score is generated for each of the plurality of endpoints from which the information was received based on a set of subscores, with each of the subscores being associated with one of a plurality of dimensions, and each of the dimensions relating to a particular set of characteristics of a given one of the plurality of endpoints. In step 25, each of the endpoints is ranked from most secure to least secure based on the Relative Scores. In step 26, the subscores are compared to a set of subscores from other distributed systems to generate an Absolute Score. Then, in step 27, the Relative Score and the Absolute Score are displayed to at least one user.

As previously noted, information for the endpoints is analyzed using at least one dimension and, in most cases, a plurality of dimensions. Examples of such dimensions are detailed below.

Management (User Hygiene)

Analysis of the management of a particular endpoint system utilizes information relating to the “computing hygiene” of a particular machine. Because the same user (or users) typically work on the same machine, the analysis also inherently considers the computing habits of the user(s) of that machine. The analysis uses at least one, and usually several, characteristics or attributes of the analyzed system. For example, some of the attributes that may be analyzed in this dimension are the number of packed files, the number of processes running without version data, and the age of the system. Each of these characteristics is scored, weighted, and summated to provide a Management (User Hygiene) subscore. It is understood that the attributes disclosed herein are merely exemplary; many other attributes relating to the management (user hygiene) dimension are contemplated.

Forensic Readiness

Another dimension of the analysis of a particular endpoint machine is forensic readiness. This dimension is a measure of the ability of a particular machine to provide useful information if that machine is compromised by malware, a virus, or the like. Relevant information includes whether or not the operating system auditing/logging features are enabled (in many cases these critical features are not on by default) such that an investigator performing a forensic analysis on an infected machine is able to quickly gather and extract information related to machine operation and the malware on that machine. For example, some of the attributes that may be analyzed in this dimension include whether or not Superfetch is turned on, appropriate log sizes, and auditing enablement for various directories and registry keys. Many other attributes may also be included in the analysis. Thus, indirectly, the forensic readiness dimension provides a subscore that reflects how easily an infected machine can be diagnosed.

Defense

The defense dimension is quantified using information related to the defensive posture of a particular endpoint system. That is, this dimension quantifies how prepared a system is to defend itself. Information relating to this dimension includes the number and kind of security products running on the system and whether those products are up to date. Other relevant information includes whether a firewall is enabled, for example, the Windows standard firewall. Additional exemplary attributes that relate to the defense score include the status of Windows Management Instrumentation (WMI), the enablement of the antivirus software, and the use of disk encryption. Many other attributes may factor into this subscore as well. Thus, the defense subscore is a measure of the defensive readiness of an endpoint system.

Insider Threat

The insider threat dimension includes several attributes of an endpoint system to quantify the likelihood that a particular user within a group is a malicious actor. Some of the information that relates to the insider threat subscore includes, for example, the presence of hacker tools and the presence of shredding software. Information relating to these and many other attributes may be used to generate the insider threat subscore.

Spear Phishing

Another subscore is generated which quantifies the risk of a particular user being victimized by a spear phishing attack. Spear phishing is a prominent email-borne variety of a standard phishing attack. Phishing attempts directed at specific individuals or companies have been called spear phishing. In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase the probability of success. Some of the attributes that relate to the vulnerability of a particular system to spear phishing include, for example, the diversity of senders and the number of emails sent to a particular account with attachments. Many other attributes are possible.

Exfiltration

The exfiltration subscore quantifies how easily information can be siphoned off of a particular endpoint system. Some of the attributes that relate to this dimension are, for example, connections to foreign countries, VPN split tunneling, and remote desktop enablement. Many other attributes are also possible.

Physical Security

The physical security subscore quantifies risk associated with various security settings on an endpoint computer such as, for example, whether the computer has nearby sharing enabled, notifications on the lock screen, a password on the screensaver, and remote wipe software enabled. Many other related settings may factor into the physical security subscore as well.

The previously discussed dimensions are merely exemplary. Many other dimensions may be included, each of which can generate its own subscore. Some other possibilities include dimensions that relate to system performance, employee value, and the dark web.

A subscore is generated for each dimension that is analyzed. In one embodiment, the dimension subscores range from 0 to 100. In another, from −1 to 1. In yet another, the subscores and/or the weights of those subscores are tuned using machine learning techniques. Each of the subscores is weighted and summated.

According to one embodiment, the scoring algorithm comprises an algorithm that includes an algebraic formula for determining two different scores: 1) a Relative Score; and 2) an Absolute Score.

Relative Score

The scoring algorithm is dependent on the individual subscores and the weights, $W_i$, associated with each subscore. The algebraic formula or equation can also be made arbitrarily complex, for example, to include associating weights to one or more combinations of subscores.

In one embodiment, the scoring algorithm includes an algebraic equation defined as a sum of weighted values. For example, the algebraic equation for the Relative Score can include an equation as given by:

$\mathrm{RELATIVE\ SCORE} = \sum_{i=1}^{M} W_i$

where $W_i$ is the weighted value of the $i$-th subscore (that subscore multiplied by its weight), for $i = 1$ to $M$, with $M$ the number of subscores analyzed. This score is calculated for each endpoint system within a given deployment and can then be normalized to a given range that is intuitive to a particular user, such as 1 to 100, for example. It is understood that many different formulae for weighting and summating the subscores to arrive at the Relative Score may be used.

Thus, each system within the deployment receives a Relative Score. Using these scores, a report may be generated which ranks the individual systems, and by implication the associated users, from most secure to most worrisome. This immediately communicates to an IT department, an outside systems management consultant, or another group, which endpoints pose the biggest threat to the distributed system, and suggests where resources are most efficiently allocated and/or the corrective actions that should be taken.

Absolute Score

An Absolute Score may then be calculated based on the individual subscores of all systems within the deployment. As with the Relative Score, the Absolute Score can be normalized to a particular range that clearly communicates the collective endpoint security risk across the entire user population. For example, the Absolute Score may range from 0 to 100, or from −1 to 1, or any other desired range. The Absolute Score may be expressed as a number or as a letter, for example, using the ubiquitous academic scale from A+ to F. Colors or any other indicators may be used as a ranking device (e.g., a “green system” indicating a good Absolute Score and a “red system” indicating a poor one). Once a critical mass of Absolute Scores has been accumulated from various organizations, the Absolute Score may be expressed as a percentile (e.g., an Absolute Score of 77%, indicating that the organization is more secure than 77% of all organizations that have been analyzed). Whether the score indicates that a given organization scores favorably or poorly in comparison to its peers, the information is always valuable to the organization. If the organization has a poor Absolute Score, then management will know that additional resources and attention should be paid to endpoint user security event susceptibility. In the event the organization scores well, then management will know that the department or group charged with fortifying the deployment is succeeding relative to other organizations.

Absolute Scores may be calculated in view of all organizations that have been analyzed or across any subset thereof. For example, a Fortune 500 company may only want to compare its Absolute Score to other Fortune 500 companies. In another example, an organization may want to be compared only against other companies of comparable size or similar market cap. Thus, the Absolute Score can be customized to provide a more meaningful snapshot of the organization's collective endpoint security.
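The following Python program is an added worked example, not code from the disclosure, of the scoring pipeline described in the preceding sections: each observed attribute is compared against an acceptable benchmark value (the comparison claim 13 recites) to give a 0 to 100 attribute score; the attribute scores of a dimension are combined into that dimension's subscore; the subscores are weighted and summated into a raw score; the raw scores are normalized across the deployment to a 1 to 100 Relative Score and ranked from most secure to most worrisome; and the deployment's Absolute Score is expressed as a percentile against all previously analyzed organizations or against a subset sharing a trait. The attribute names follow the management, forensic readiness, defense, exfiltration and physical security dimensions above; the benchmark thresholds, scoring rules, weights, endpoint reports and peer scores are constructed for illustration and are not values the disclosure gives.

```python
from statistics import mean

# Acceptable benchmark per attribute (constructed thresholds; the disclosure names the
# attributes but not these values). Scoring rules, also constructed: "at_most" gives full
# marks at or below the benchmark and decays linearly to 0 at twice it; "at_least" gives
# full marks at or above it and proportional credit below; "equals" gives 100 when the
# setting is in the acceptable state, else 0.
BENCHMARKS = {
    "packed_files": ("at_most", 20), "procs_without_version": ("at_most", 5),
    "system_age_days": ("at_most", 1460), "security_log_max_mb": ("at_least", 256),
    "object_auditing_enabled": ("equals", True), "superfetch_enabled": ("equals", True),
    "firewall_enabled": ("equals", True), "antivirus_enabled": ("equals", True),
    "disk_encryption_enabled": ("equals", True), "security_products_up_to_date": ("equals", True),
    "foreign_connections": ("at_most", 3), "vpn_split_tunneling": ("equals", False),
    "remote_desktop_enabled": ("equals", False), "nearby_sharing_enabled": ("equals", False),
    "lock_screen_notifications": ("equals", False), "screensaver_password": ("equals", True),
}
DIMENSIONS = {  # which attributes feed each dimension's subscore
    "management": ["packed_files", "procs_without_version", "system_age_days"],
    "forensic_readiness": ["security_log_max_mb", "object_auditing_enabled", "superfetch_enabled"],
    "defense": ["firewall_enabled", "antivirus_enabled", "disk_encryption_enabled",
                "security_products_up_to_date"],
    "exfiltration": ["foreign_connections", "vpn_split_tunneling", "remote_desktop_enabled"],
    "physical_security": ["nearby_sharing_enabled", "lock_screen_notifications", "screensaver_password"],
}
# Weight per dimension subscore (constructed; the disclosure leaves the weights open).
WEIGHTS = {"management": 1.0, "forensic_readiness": 1.5, "defense": 2.0,
           "exfiltration": 1.5, "physical_security": 1.0}


def attribute_score(name, observed):
    """Score one observed characteristic (0..100) against its acceptable benchmark value."""
    kind, bench = BENCHMARKS[name]
    if kind == "equals":
        return 100.0 if observed == bench else 0.0
    if kind == "at_most":
        return 100.0 if observed <= bench else max(0.0, 100.0 * (1 - (observed - bench) / bench))
    return 100.0 if observed >= bench else 100.0 * observed / bench

def subscores(report):
    """One 0..100 subscore per dimension: the mean of that dimension's attribute scores."""
    return {dim: mean(attribute_score(a, report[a]) for a in attrs)
            for dim, attrs in DIMENSIONS.items()}

def weighted_sum(subs):
    """Raw per-endpoint score: the sum over dimensions of weight times subscore."""
    return sum(WEIGHTS[d] * s for d, s in subs.items())

def relative_scores(reports):
    """Relative Score: raw sums normalized across this deployment to the 1..100 range."""
    raw = {host: weighted_sum(subscores(r)) for host, r in reports.items()}
    lo, hi = min(raw.values()), max(raw.values())
    if hi == lo:  # every endpoint identical: no spread to rank on
        return {host: 100.0 for host in raw}
    return {host: 1.0 + 99.0 * (v - lo) / (hi - lo) for host, v in raw.items()}

def rank(reports):
    """Endpoint names ordered from most secure to most worrisome."""
    rel = relative_scores(reports)
    return sorted(rel, key=rel.get, reverse=True)

def absolute_score(reports):
    """Deployment-wide 0..100 score: mean raw score scaled so that all subscores at 100 gives 100."""
    return mean(weighted_sum(subscores(r)) for r in reports.values()) / sum(WEIGHTS.values())

def percentile(score, peers, **trait):
    """Percent of peer organizations (optionally filtered on a shared trait) scoring strictly lower."""
    pool = [p for p in peers if all(p.get(k) == v for k, v in trait.items())]
    if not pool:
        return None
    return 100.0 * sum(p["absolute"] < score for p in pool) / len(pool)


ATTRS = list(BENCHMARKS)
# Constructed endpoint reports (values in BENCHMARKS order), as the base system would receive them.
REPORTS = {host: dict(zip(ATTRS, vals)) for host, vals in {
    "ws-alpha":   (3, 1, 400, 512, True, True, True, True, True, True, 0, False, False, False, False, True),
    "ws-bravo":   (50, 12, 2190, 64, False, False, False, True, False, False, 6, True, True, True, True, False),
    "ws-charlie": (10, 2, 730, 128, True, True, True, True, False, True, 1, False, True, False, True, True),
}.items()}
# Constructed Absolute Scores of previously analyzed organizations, tagged for subset comparison.
PEERS = [dict(org="a", size="large", absolute=40.0), dict(org="b", size="mid", absolute=55.0),
         dict(org="c", size="mid", absolute=60.0), dict(org="d", size="large", absolute=70.0),
         dict(org="e", size="large", absolute=85.0), dict(org="f", size="mid", absolute=58.0)]

if __name__ == "__main__":
    rel = relative_scores(REPORTS)
    for host in rank(REPORTS):
        print(f"{host:<10} relative={rel[host]:6.1f}  {subscores(REPORTS[host])}")
    a = absolute_score(REPORTS)
    print(f"absolute={a:.1f}  more secure than {percentile(a, PEERS):.0f}% of all peers, "
          f"{percentile(a, PEERS, size='large'):.0f}% of large peers")
```

Two design points worth noting when adapting this. First, min-max normalization of the Relative Score is deliberately deployment-relative: the best machine in a deployment always scores 100 even if every machine is weak, which is exactly why the Absolute Score, measured against other organizations, is needed alongside it. Second, the linear decay and the equal-weight mean within each dimension are the simplest choices; the disclosure leaves the formula open, so a real deployment would tune the benchmarks and weights (for example, making a disabled firewall or missing disk encryption dominate the defense subscore rather than counting as one attribute among four).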

Where the foregoing disclosure mentions that software (or code) performs an operation, it is understood that the information handling system performs the operation in response to the information handling system's execution of the software.

Although illustrative embodiments have been shown and described, a wide range of modification, change and substitution is contemplated in the foregoing disclosure and, in some instances, some features of the embodiments may be employed without a corresponding use of other features. Accordingly, all such modifications are intended to be included within the scope of the embodiments. Accordingly, it is appropriate that the appended claims be construed broadly.

We claim:
 1. A method of identifying endpoint user susceptibility across a distributed computer system, comprising: running a software application on a plurality of endpoints on a distributed system, wherein after said software application runs on one of said endpoints, said software application is erased from said one of said endpoints; receiving information from at least some of said plurality of endpoints; and ranking each of said endpoints from most secure to least secure.
 2. The method of claim 1, further comprising: generating a Relative Score for each of said plurality of endpoints from which said information was received based on analysis of a plurality of dimensions, each of said dimensions relating to a particular set of characteristics of a given one of said plurality of endpoints, wherein said ranking of said endpoints is based on said Relative Scores.
 3. The method of claim 2, wherein said Relative Score is based on a set of subscores, each of said subscores associated with one of said dimensions.
 4. The method of claim 3, further comprising: generating an Absolute Score based on a comparison of said subscores from each of said endpoints from which information was received and at least one different set of subscores from a different distributed computer system.
 5. The method of claim 4, wherein said Absolute Score is expressed as a percentile which indicates that said distributed computer system is more secure than a percentage of a set of different distributed computer systems to which said distributed computer system was compared.
 6. The method of claim 4, wherein said comparison is between a subset of distributed computer systems that share a common characteristic.
 7. The method of claim 3, wherein said Relative Score is a weighted sum of said subscores.
 8. The method of claim 1, wherein after said software application runs on one of said endpoints, said software application is erased from said one of said endpoints.
 9. The method of claim 1, wherein said software application is smaller than 5 megabytes (MB).
 10. The method of claim 1, wherein said at least one dimension is selected from a set of dimensions comprising management (user hygiene), forensic readiness, defensibility, insider threat indicia, spear phishing surface, exfiltration potential, performance, dark web footprint, and valuable employee indicia.
 11. The method of claim 10, wherein said set of dimensions further comprises physical security.
 12. The method of claim 1, wherein said at least one dimension comprises a management (user hygiene) dimension and a forensic readiness dimension.
 13. The method of claim 1, wherein each of said dimensions comprises a comparison of at least one characteristic of one of said endpoints related to said dimension and an acceptable benchmark value of said characteristic.
 14. A set of instructions fixed in a non-transitory computer-readable medium, comprising: pushing a software application from a base system to a plurality of endpoints on a first distributed system; executing said software application at said endpoints; erasing said software application from each of said endpoints after said software application executes at said endpoint; receiving information at said base system from at least some of said plurality of endpoints; ranking each of said endpoints from most secure to least secure based on a set of subscores associated with at least one of a plurality of dimensions, each of said dimensions relating to a particular set of characteristics of a given one of said plurality of endpoints; comparing said subscores to a set of subscores from other distributed systems to generate a comparative ranking of said first distributed system relative to said other distributed systems; and displaying one or both of said endpoint ranking and said distributed system ranking to at least one user.
 15. The set of instructions of claim 14, wherein said ranking of said endpoints constitutes a Relative Score.
 16. The set of instructions of claim 15, wherein said Relative Score is a weighted sum of said subscores.
 17. The set of instructions of claim 14, wherein said software application is smaller than 5 megabytes (MB).
 18. The set of instructions of claim 14, wherein said distributed system ranking constitutes an Absolute Score.
 19. The set of instructions of claim 14, wherein said at least one dimension is selected from a set of dimensions comprising management (user hygiene), forensic readiness, defensibility, insider threat indicia, spear phishing surface, exfiltration potential, performance, dark web footprint, and valuable employee indicia.
 20. The set of instructions of claim 19, wherein said set of dimensions further comprises physical security.